Embed Size (px)
Citation preview
Operational Risk under the Basel II
Capital Adequacy Framework*
by
Ted Lindblom, Magnus Olsson and Magnus Willesson School of Business, Economics and Law, University of Gothenburg, Sweden.
Abstract
The Basel II capital adequacy framework constitutes a very comprehensive regulatory
approach to risk assessment in banks. It is far more detailed and sophisticated than the
first Basel accord. A special feature is that the new accord is not only targeting banks‘
financial risk exposures in terms of credit risks and market risks. The scope has been
widened to also explicitly incorporate banks‘ exposure to operational risks in the
capital adequacy requirement. For banks this novelty means a major change. Unless
they choose to use the highly unsophisticated ‗basic indicator approach‘ or the
‗standardized approach‘ proposed in the new Basel accord, it will put significant
pressure on them to develop and design appropriate internal risk information models
and systems. In this paper we explore banks‘ operational risk assessment under Basel
II in Sweden, where all banks—regardless of size—have to comply with the new
regulatory framework. The overall aim is to provide deeper insights into the capability
of banks to identify and measure exposures to operational risk and their choice of
method for calculating regulatory capital against such exposures.
Preliminary draft
Please do not quote without authors’ permission.
Corresponding author: Ted Lindblom
Address: School of Business, Economics and Law, University of Gothenburg
Box 600, SE 405 30 Gothenburg
E-mail: [email protected]
Phone: +46 31 7861497
* Acknowledgements: The authors wish to thank the Swedish Financial Supervisory Authority for providing data
on Swedish banks‘ compliance with the Basel II accord, the Swedish savings banks taking part in our survey,
and the Jan Wallander and Tom Hedelius‘ Foundation for financial support.
2
1. Introduction
“The impact of Basel II has been compared to preparing for the millennium bug.
It is more complex than that.” (Wilson, 2004:297)
To comply with the Basel II accord is a great challenge for banks, just as it is a
challenge for the regulatory body to properly supervise and evaluate their compliance.
The new accord constitutes a far more comprehensive approach to banks‘ exposure to
risks than did its predecessor, Basel I. The first accord was targeting banks‘ financial
risk exposure in terms of credit risks and, lately, also market risks. This was done
through a rather rigid and rough capital adequacy model based on an arbitrary risk
classification of the banks‘ on and off balance sheet assets into one of four buckets—
each with a fixed risk weight (0, 20, 50 or 100 per cent) that did not necessarily
correspond to actual default risk of the assets in the specific bucket. In Basel II, the
determination of regulatory capital of a bank is more accurate and calibrated what
regards risk assessment. The emphasis is not only on the bank‘s exposure to different
kinds of financial risk, but also on its operational risk exposure. Hence, with Basel II
the scope has been widened to explicitly incorporate banks‘ exposure to operational
risks in the calculation of capital adequacy requirement. For banks this novelty means
a major change, which is putting pressure on their development and design of internal
risk information models and systems (Power, 2005; Flores, Bónson-Ponte & Escobar-
Rodríguez, 2006; Fontnouvelle et al, 2006; Raghavan, 2006; Bonsón, Escobar &
Flores, 2007). This implies that operational risk is a new phenomenon in banking,
which is of course not true even though the emphasis of most banks has hitherto been
set mainly on their exposure to financial risks. “Traditionally in the risk family
hierarchy, market risk was king, credit risk was queen and operational risk was the
elephant in the corner” (Wold, 2006:22).
The Basel I accord has in principle been criticized already from the very beginning
when it was introduced and implemented at the end of the 1980s, over its refinement
with the 1998 amendment for adopting market risks, to its final replacement with
Basel II at the beginning of 2007 (Hendricks & Hirtle, 1997; Garside & Bech, 2003;
Power, 2005; Bergendahl & Lindblom, 2007). The major avenue of criticism was
directed towards its broad buckets of asset risk-weights and the ‗one size fits all
approach‘ (Avery & Berger, 1991; Jones, 2000; Calem & LaCour-Little, 2004). In
Basel I an asset of a bank with a sound and sophisticated risk management system was
not treated differently than an asset (in the same bucket) of a bank with a less
developed risk assessment approach. Instead this and other anomalies gave
sophisticated banks opportunities for ‗regulatory arbitrage‘ (Aparicio & Keskiner,
2004; Calem & LaCour-Little, 2004; Rowe, Jovic & Reeves, 2004). “Basel I had a
3
specific effect in banks’ strategies: they have rearranged their asset portfolio away
from high-risk weighted asses and towards lower-risk weighted assets.” (Lastra, 2004:
230).
The design of the Basel II accord clearly demonstrates that the Basel Committee had
carefully listened to the critics. The new accord offers a variety of more or less
advanced approaches for banks to assess risks and determine regulatory capital more
in accordance with the true economic capital (see Lindblom & Olsson, 2007 for a
recent exposé). Banks may even qualify to use their own internally developed risk
models and systems for identifying and measuring risk exposures, for accurately
managing these exposures and, for allocating adequate capital to cover unexpected
risk-related losses. This spirit of ‗self regulation‘ marks a paradigmatic shift away
from the centralized ‗top-down‘ supervision that has guided bank regulations long
before the first Basel accord. Studies like the Quantitative Impact Study 3 (BIS, 2003)
and BIS (2005) suggest that larger and many mid-sized banks are most likely to take
the opportunity to become qualified for using an internal ratings based approach to
calculate the regulatory capital required with respect to their exposures to credit and
market risks. Most small banks will use the standardized approach, but there are
exceptions. Lindblom & Olsson (2007) expect some of the independent savings banks
(ISBs) in Sweden to adopt the internal ratings based foundation approach despite the
fact that most ISBs are comparatively small in size. However, the potential and
capability of these banks, and banks in general, to choose and use a sophisticated
internal method for determining adequate capital to be held for operational risk
exposures is less evident, let alone to get the supervisory authority‘s approval to adopt
an internally developed advanced measurement approach.
Until Basel II most banks are likely to have paid operational risk exposure only minor
attention. As Power (2005:577) states “operational risk was largely a residual
category for risks and uncertainties which were difficult to quantify, insure and
manage in traditional ways”. However, after Basel II and conspicuous debacles, like
the Baring‘s collapse, Daiwa Bank‘s shut down of its US business, the reconstruction
and sale of Allfirst Financial and the astronomical losses of Société Génerale after its
bizarre rogue trade scandal, “large banks have begun collecting data on their own loss
experience and are measuring their operational risk exposure based on these data‖
(Fontnouvelle et al, 2006:1820). The length of time series developed within most
banks is still likely to be short, though.
In this paper we will explore Swedish banks‘ assessment of operational risk exposures
under the Basel II capital adequacy framework. The overall aim is to provide deeper
insights into the capability of banks to identify and measure operational risk exposures
and their choice of method for calculating regulatory capital against such exposures.
The paper is organised as follows: After the introduction, research literature on
operational risk measurement in banking is briefly reviewed with respect to the
definition of operational risk (Section 2) and the methods proposed in the Basel II
accord for determining the capital required for covering a bank‘s exposure to this type
of risk (Section 3). Thereafter the focus is set on Swedish banks‘ experience and use of
4
measurement approaches to assess their exposures to operational risk. In Section 4, the
banks‘ adaptation to Basel II in terms of their choice of approach to measure
regulatory capital against operational risk exposures is examined based on the data
banks provide to the Swedish Financial Supervisory Authority. In Section 5, reasons
behind the banks‘ choice of approach are studied. The focus is on their experience of
operational risk assessment and their response to the new regulation. We follow up
two previously conducted interview based studies on operational risk measurement in
the four largest Swedish banks from 2001 and 2007, respectively. Based on the latest
annual reports of these banks, we explore how they organize their work and processes
in identifying and assessing risk exposures. As all Swedish banks—regardless of
size—are obliged to comply with the new regulation, we also follow up the study of
the ISBs by Lindblom & Olsson (2007) with a questionnaire emphasizing their
operational risk assessment under Basel II. Thereby the paper covers operational risk
assessment not only in the largest, but also in the mid-sized and smallest banks under
Swedish supervision. The paper ends with conclusions in Section 6.
2. Definition of operational risk
Basel II may be seen as a distinct response to a growing line of criticism questioning
the implicit inclusion of operational risks into credit and market risks under Basel I
(Jones & Mingo, 1999; Power, 2005). With the implementation of the new accord the
Basel Committee explicitly recognized the ever increasing exposure to operational
risks of banking firms (Berg-Yuen & Medova, 2005; Wahlström, 2006; Di Renzo et
al, 2007). At the same time it is far from easy to ‗operationalize‘ proper measures for
managing operational risks. The definition of operational risk is crucial and will have
implications for the measurement and control of risk exposures within the banking
industry. However, the definition of operational risk is neither obvious nor
unproblematic and consensus still remains to be reached in research literature. Moosa
(2007) observes a diverse set of definitions in his comprehensive literature review.
Disregarding meaningless ones like operational risk is ‗the risk of operational loss‘ or
‗every type of unquantifiable risk faced by a bank‘, he makes a distinction between
authors who advocate a narrow definition of operational risk (e.g. Turing, 2003) and
those who prefer a more extensive definition (e.g. Herring, 2002). In the latter
category a common approach is to regard operational risk as a residual risk covering
all risks beside credit and market risks. According to Allen & Bali (2007:24) such a
broad definition is suitable for determining economic capital requirements as it
“sidesteps the difficult problem of modelling business activities on a micro level”. On
the other hand, referring to Hadjiemmanuil (2003) and Thirlwell (2002), Moosa (2007)
puts forward that if the definition of operational risk is too vague and open-ended it
will be harder to trace and specify the component factors of operational risk and,
hence, to discern and clarify to what extent realized economic losses are due to
operational failures.
In Basel II operational risk is defined as “the risk of loss resulting from inadequate or
failed internal processes, people and systems or from external events.” (BIS,
5
2005:140) On one hand, this definition is claimed to be too narrow since it does not
include strategic and reputational risks (Chavez-Demoulin et al, 2006; Cummins &
Embrechts, 2006; Fontnouvelle et al, 2006).2 The focus is “on day-to-day loss events
emanating from computer failures and human error, for example, while excluding
catastrophic operational risk events resulting from reputational losses and strategic
business errors” (Allen & Bali, 2007:1193). On the other hand, the definition includes
various types of operational risk exposures in banking business, expected as well as
unexpected losses from these exposures, and even legal risks3. In that respect it may be
regarded as quite broad and highly complex to operationalize in practice as it requires
a wealth of details that may be a problem in itself to put together in banks that have the
ambition to implement a more sophisticated internal measurement method.
3. Operational risk and regulatory capital
Under the first pillar of the Basel II capital adequacy framework a bank may adopt one
of three proposed approaches for calculating the amount of capital to be held with
respect to its exposure to operational risks. These approaches are the ‗basic indicator
approach‘ (BIA); the ‗standardized approach‘ (SA); and the ‗advanced measurement
approaches‘ (AMA).
BIA is the default approach. It is highly unsophisticated and a bank that uses this
approach should calculate the capital requirements for covering its exposure to
operational risks using the following equation:
n
GI
K
n
t
t
BIA1 0tGI , (Eq. 1)
where
BIAK = Capital charge under the basic indicator approach (BIA),
tGI = Gross income (net interest income + net non-interest income) year t,
n = Number of years with positive gross income the past three years,
= Fixed percentage parameter (=15%) determined by the regulator (Basel Committee).
At best BIA does only generate a very rough estimation of the impact of the bank‘s
exposure to operational risks in terms of capital adequacy requirement. The approach
implies that there is a positive correlation between losses due to operational risk
exposure and the annual gross income of the whole bank. The higher the income of the
bank, the greater the likelihood of large losses linked to its exposure to operational
risks. This relationship is of course not necessarily true. A bank‘s annual gross income
may very well decrease in its most risky business lines at the same time as its income
increases even more in its least risky ones. Moreover, it is doubtful whether changes in
2 Strategic and reputational risks are even excluded explicitly by the Basel Committee.
3 “Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damage resulting from
supervisory actions, as well as private settlements.” (BIS, 2005:140)
6
net interest income are positively correlated with a bank‘s operational risk exposure,
particularly in the case these changes are due to higher or lower interest expenses.
Rather we are then more likely to find a negative correlation—if there is any
correlation at all. As Bonsón et al (2007) maintain, BIA is quantifying operational risk
‗blindly‘. Despite this they find a significant positive relationship between operational
losses and gross income in Spanish banks in a study based on accounting data from
2001-2005, albeit their estimated α parameter is lower than 15 per cent.
BIA is mainly intended for smaller banks for which operational risk exposures are
considered to be of only minor importance. Other banks, i.e. mid-sized and larger
banks, are supposed to be more exposed to operational risks. As an alternative to BIA,
they may apply for being authorized to use either a proposed ‗standardized approach‘
(SA) or their own internal risk assessment method provided that it is qualified as an
‗advanced measurement approach‘ (AMA). SA represents an extension of BIA. It is
more fine-tuned when it comes to the determination of regulatory capital. In SA the
banking firm‘s total business is broken down into eight different business lines (i).
These are corporate finance, trading and sales, retail banking, commercial banking,
payment and settlement, agency services, asset management, and retail brokerage.
Some business lines are assumed to be more risky and others less risky than the
average banking business in terms of expected and unexpected losses due to
operational risk exposure. This is reflected by a fixed percentage factor (βi) that is
differentiated between the business lines (see Table 1). Accordingly, the capital charge
will now be dependent on how much of the annual gross income of the bank that is
generated by each specific business line. Under this approach the bank derives
regulatory capital using the following equation:
3
0),(max3
1
8
1t i
iti
SA
GI
K , (Eq. 2)
where
SAK = The capital charge under the standardized approach (SA),
tiGI = Gross income in a given year t business line i,
i = Fixed percentage parameter, set by the regulator, relating the level of required capital to the
level of the gross income for business line i.
Table 1 shows that the fixed β factor of the different business lines varies between 12
and 18 per cent. As stated by Jobst (2007:319) the underlying assumption is that “the
management of operational risk is critical in business lines with high volume, high
turnover (transactions per unit of time), high degree of structural change, and/or
complex support systems, for instance, trading activities, especially if the business
generates low margins, such as transaction processing (clearing and settlement) and
payments-system-related activities”.
7
Table 1 Business lines and beta factors under the Standardized Approach
Source: Bank for International Settlement (2005:143)
Although SA is slightly more sophisticated than BIA, Bonsón et al (2007) argue that
also a bank that uses this approach is more or less quantifying operational risk with
‗eyes closed‘. In fact, they were not able to find any significant positive relationship
between operational losses and the gross income of different business lines in their
study concerning Spanish banks. Still, this approach is most likely to be adopted by
many retail banks as retail banking has been given a β factor below average. Evidently,
a lower factor is motivated even though operational loss events occur very frequently
in retail banking since the severity of each event is only marginal for the single bank
(Fontnouvelle et al, 2006; Garrity, 2007). The picture seems to be the opposite for
trading and sales. There are few loss events but occasionally (and unexpectedly) a loss
may be extremely high for the bank.
The Basel II capital adequacy framework also proposes an ‗alternative standardized
approach‘ (ASA). The gross income as exposure indicator for retail banking and
commercial banking is then replaced by an asset based exposure indicator in terms of
total outstanding loans and advances (Jobst, 2007). The β factors remain the same as
displayed in Table 1, but the factors are subject to correction by a fixed factor m (set to
3.5 per cent by the Basel Committee) in order to adjust for using outstanding loans and
advances as exposure indicator instead of gross income. Accordingly, the capital
charge for regulatory capital is now derived by the following equation:
3
0),(max0),(max0),(max3
1
8
5
3
1
4
3
3
1
2
1 t i
iti
t i
iti
t i
iti
ASA
GILAmGI
K , (Eq. 3)
where
ASAK = The capital charge under the alternative standardized approach (ASA),
tiLA = Outstanding loans and advances in a given year t for business line i (as defined in Table 1), m = Fixed percentage parameter, set by the regulator, when using LA as exposure indicator.
The third approach, i.e. the ‗advanced measurement approach‘ (AMA), is a far more
sophisticated approach than BIA and SA/ASA. With this approach, the internal
operational risk assessment system of the bank will be used for computing an adequate
capital charge with respect to the bank‘s exposure to operational risks. This is in line
with the overall objective of the new Basel accord to better align regulatory capital
8
with economic capital. AMA must be submitted for revision by the supervisory
authority before authorization is given to the bank to adopt it. The qualifying criteria
are carefully specified by the Basel Committee in the Consultative Document on
Operational Risk (BIS, 2001), which contains detailed information on what is expected
by banks, in terms of internal principles and procedures for monitoring, measuring and
managing exposures to operational risks, but also on how regulatory bodies are
supposed to supervise banks.
Banks‘ internal assessment of operational risk exposures under AMA is based on both
qualitative and quantitative criteria. Qualitative criteria are the main basis for the
regulator‘s recurring reviews and controls of the accuracy and credibility of the bank‘s
internal operational risk measurement system, whereas quantitative criteria lay the
foundation for a more accurate determination of regulatory capital. However, these
criteria are not specified what regards “the approach or distributional assumptions
used to generate the operational risk measure for regulatory capital purposes” (BIS,
2006:151). The emphasis is instead on banks‘ capability to demonstrate that their
internal measurement systems can effectively capture expected and unexpected non-
frequent but occasionally very severe loss events due to their exposures to operational
risks. A 99.9th
percentile confidence interval is stipulated. As is illustrated in Figure 1,
this means that a bank‘s exposure to a very extreme loss event may fall outside the
capital charge. However, the bank is expected to hold capital to cover potential losses
from all remaining exposure to operational risk as a consequence of the overall
objective to seek to align regulatory capital with economic capital. Given accurate loss
probability distributions, an adequate capital charge may be derived by summarizing
the value at risk ( iVaR ) of each business line i at the specified confidence level α:
8
1i
i
AMA VaRK , (Eq. 4)
where
AMAK = The capital charge under the advanced measurement approach (AMA) using value at risk,
= Confidence level (set by the regulator to 0.01 per cent).
Figure 1 Operational risk capital under the advanced measurement approach
Source: Jobst (2007:328)
9
The qualifying criteria put pressure on a bank that wishes to adopt AMA to develop
and use adequate quantitative measurement techniques and models, but also to collect
and systematize information from loss events experienced previously. If the
occurrence of certain types of loss events is rare within the bank, it is obliged to
consider and incorporate experiences from these loss events in other banks. This is
truly a challenge for the bank as it has to contemplate the importance of different
characteristics of banks. “This situation leaves banks with little choice but to accept
significant estimation uncertainty in their efforts to approximate operational risk
exposure…” (Jobst, 2007:330). Seven different loss event types are defined and
specified in the Basel II capital adequacy framework (see Annex 9 in BIS, 2006:305-
307).4 This means that banks that are authorized to adopt AMA “must quantify
operational risk requirements for seven types of risk and eight business lines, a total of
56 separate cells, where a cell is a combination of business line and event type”
(Moosa, 2007:183).
In principle three methods are proposed in the Basel II accord for assessing a bank‘s
exposure to operational risks in its different business lines under AMA. The first one is
the loss distribution approach (LDA), which Moosa (2007) considers as a ‗backward-
looking‘ approach. Accordingly, he regards the other two methods, i.e. the scenario-
based approach (SBA) and the scorecard approach (SCA), as ‗forward-looking‘. Jobst
(2007) notes that LDA has emerged as a suitable method for calculating operation risk
capital under AMA. With LDA unexpected losses may be estimated directly from the
total loss distribution. However, this requires detailed information on previous loss
events. As anticipated in BIS (2001) a majority of the banks that adopt AMA will at an
initial phase be likely to use a simplified variant referred to as the internal
measurement approach (IMA). The capital charge is then derived by the following
equation:
ijijij
i j
ijIMAAMA LGEPEEIK
8
1
7
1
, (Eq. 5)
where
IMAAMAK = The capital charge under AMA using the internal measurement approach (IMA),
ijEI = Exposure indicator for event type j in business line i,
ijPE = Probability of event type j in business line i,
ijLGE = Loss given event type j in business line i,
ij = Parameter translating expected loss into unexpected loss of event type j in business line i.
The product of EIijPEijLGEij shows the expected loss in cell ij, i.e. the expected loss in
business line i related to event type j. In equation 5 this loss is then translated into an
estimated unexpected loss by parameter γij. This parameter is provided by the regulator
under the assumption of a linear relation between expected and unexpected losses in
4 These event types are: Internal fraud; External fraud; Employment practices and workplace safety, Clients,
products and business practices; Damage to physical assets; Business disruption and system failures; and
Execution, delivery and process management.
10
each cell. The sum of all ‗transformed‘ expected losses for all event types in each
business line gives a regulatory capital more in correspondence with the true economic
capital. However, a problem is that no consideration is taken to relationships that may
exist between loss events within a business line or between loss events in different
lines. These relationships are likely to vary between banks with different risk profiles.
This implies that equation 5 may be modified into equation 6 by adjusting for the risk
profile of the individual bank. In order to capture divergences in banks‘ risk profiles a
risk profile index (RPI) is suggested in the Basel II capital adequacy framework (see
Annex 5 in BIS, 2001:24-25). RPI is a relative measure comparing the individual
bank‘s loss distribution with the industry wide loss distribution. Hence, if the
individual bank is likely to be more exposed than the average bank to losses of event
type j within a business line i, RPIij > 1. Accordingly, RPIij = 1 if the exposure of the
bank is the same as industry average and less than one if its exposure is below average.
The adjusted capital charge is thus derived by the following equation:
ijijijij
i j
ijRPIAMA RPILGEPEEIK
8
1
7
1
, (Eq. 6)
where
RPIAMAK = The capital charge under AMA with risk profile index for the individual bank,
ijRPI = Risk profile index reflecting the individual bank‘s relative loss distribution.
4. Approaches used by Swedish banks to calculate regulatory capital
At the end of 2007 the Swedish banking industry comprised 126 banks of which 27
banks were subsidiaries to foreign banks (see Table 2). The latter banks are not subject
to Swedish supervision under Basel II.
Table 2 The Swedish banking industry at the end of 2007
Type of bank Number of banks Total assets (MSEK) Commercial banks (of which the big four) 28 2,855,075 (2,597,375)
Foreign commercial banks 4
Foreign banks' subsidiaries 27 679,288
Independent savings banks (ISBs) 65 145,429
Cooperative banks 2
TOTAL 126 3,679,792
Source: Bankföreningen, ”Bank- and finansstatistik 2007 ver 1” and Statistics Sweden, ”Bankernas tillgångar
och skulder efter bank”.
As shown in Table 2 the size of the industry, in terms of total assets, was almost SEK
3.7b, where commercial banks held more than 75 per cent of the assets. Four
commercial banks, Nordea, SEB, SHB and Swedbank, dominate the industry, with
over 70 per cent of the total assets, and may be referred to as ‗the big four‘. The
independent savings banks (ISBs) are the dominants in terms of number of banks
(more than 50 per cent), but these banks are generally small in size. Their operations
11
are mainly in the retail banking business line and each bank is active within a
geographically restricted local market in which it serves households and small and
medium-sized firms. Although being independent, most ISBs are dependent on
Swedbank concerning the administration of payments services. Swedbank is originally
a merger of a number of savings banks, which may explain why it provides services to
the ISBs beside its own business operations.
Basel II was implemented in 2007 and the first quarter of this year was the first time
Swedish banks had to report on their compliance with the new regulatory framework.
With the exception of the foreign banks‘ subsidiaries, every bank that is operating on
the market is required to report its financial and operational risk exposures to the
Swedish Financial Supervisory Authority four times a year, i.e. at the end of each
quarter (see Appendix 2 in FFFS 2007:1). At the end of the fourth quarter, 98 of the
126 banks presented in Table 2 reported to the supervisory authority. Beside the 27
foreign bank subsidiaries, a newly established Swedish bank did not report. It received
its license in 2007 but started its banking operations in 2008. In total, the analysis
below covers 103 Swedish banks, which were all active on the Swedish market in
2007 and reported to the supervisory authority at least at one occasion. The analysis is
based on these banks‘ reports on their operational risk exposures for each quarter of
2007 they were active. The number of banks varies between the four quarters due to
starting-up of new banks, closing down of old ones and M&As.
The compliance reports of the banks disclose which of the approaches proposed in the
Basel II capital adequacy framework each bank has chosen to adopt for calculating
regulatory capital against its exposure to operational risk. Table 3 shows the banks‘
choice of approach on an aggregated level for each quarter of 2007.
Table 3 Approaches used by Swedish banks for calculating regulatory capital against operational risk
Approach for calculating regulatory capital 2007:Q1 2007:Q2 2007:Q3 2007:Q4
Basic indicator approach (BIA) 76 76 76 78
Standardized approach (SA) 10 15 16 17
Alternative standardized approach (ASA) 0 0 0 0
Advanced measurement approach (AMA) 0 0 0 0
Approach not disclosed 15 11 8 3
Number of banks 101 102 100 98
Evidently, the vast majority of the banks have chosen to use the default approach. This
is hardly unexpected since many banks are small in size. The number of banks using
the standardized approach (SA) is increasing, though. This is partly explained by the
fact that several of the banks that initially did not report their exposure to operational
risk have later on chosen to report in accordance with SA.5 Also a few banks that at the
beginning used BIA have changed to report in accordance with SA, but at the end of
2007 still 80 per cent of the banks used BIA.6 The three banks that had not yet
5 Ten banks did not report their exposure to credit risk either in the first quarter of 2007.
6 In total, four banks (all ISBs) have changed from using BIA to SA, but two the banks seem to have changed
back only after one quarter which implies that they did never change approach but just did a reporting error.
12
disclosed their approach to determine regulatory capital against operational risk
exposure at the end of the fourth quarter did not report on their compliance with Basel
II with respect to credit risks either.
Table 3 indicates a gradual transition towards the new Basel II accord in general and
towards the determination of regulatory capital against operational risk exposures in
particular. Every seventh bank did not report its exposure to such risk in the first
quarter. Moreover, only two of the four proposed approaches were being used by the
banks. That none of the banks had chosen to use an internally developed method for
determining regulatory capital against operational risk exposures is, however,
explained by the fact that AMA was not available for the banks as an option for
supervisory approval in 2007. The Swedish Financial Supervisory Authority did only
consider applications for using more advanced measurement methods in 2008 and
thereafter. As is further elaborated in Section 5, some of the larger banks, particularly
the big four, may be expected to use AMA in the future.7
There may be several explanations to why a bank chooses to report in accordance with
one or the other approach in order to measure its exposure to operational risk. Firstly,
two observations imply that there is a learning effect in how the banks report to the
supervisory authority:
The number of banks that reported on their compliance with the new regulatory
framework increased during its implementation year. The first quarter as many
as fifteen banks did not report their exposures to operational risk, whereas only
three of the banks did not do that in the fourth quarter.
The banks’ use of SA was increasing rapidly during the first year with the new
regulation. The number of banks reporting in accordance with SA increased by
70 per cent, whereas the number of banks using BIA was relatively constant
over the year.
Secondly, the size of the bank may have affected its choice of approach, where
especially the larger banks are likely to be interested in using more sophisticated risk
calculation methods. Almost 40 per cent of the commercial banks reported in
accordance with SA, whereas over 90 per cent of the ISBs used the default approach.
Since AMA was not an option during 2007, this implies that large banks should to a
larger extent be expected to use SA rather than BIA. In Table 4, the amount of own
funds reported by the each bank to be hold for capital adequacy purposes at the end of
2007 are used as a proxy for the size of the bank. An index has been created in order to
demonstrate the size effect. As shown in the table the index is 100 for the entire
population and, hence, the index of 32 for banks using BIA reveals that these banks
were on average 68 per cent smaller than the average bank.
7 According to its annual report in 2007, SEB has applied for using an internally developed measurement
approach in 2008 (SEB 2007:34).
13
Table 4 Swedish banks‘ use of measuring approach with respect to bank size at the end of 2007
Both the average and median size indexes strongly suggest that the size of the bank
has affected its choice of approach for calculating regulatory capital against its
operational risk exposure. The much higher median values indicate that there may be a
bias due to the substantially much larger size of the big four. When cleaning for the
big four, the average size index is still 81 and 201 for banks using BIA and SA,
respectively. The indication of a size effect thus remains, albeit the banking groups are
less polarized when excluding the big four.
As expected a bank‘s choice of approach for calculating regulatory capital against its
exposure to operational risk seems to matter for the size of its capital charge. Table 5
shows that the share of own capital to total regulatory capital held by the banks for
covering unexpected losses from exposures to operational risk and total risk,
respectively, was lower for banks reporting in accordance with SA in every quarter of
2007.
Table 5 Share of regulatory operational risk capital to total risk capital in Swedish banks during 2007
Quarter 1 Quarter 2 Quarter 3 Quarter 4
All banks 11.81% 11.88% 11.77% 11.98% Standard deviation 8.40% 8.48% 8.11% 8.05%
Median 10.06% 9.80% 9.83% 9.88%
Number of banks 86 91 92 95
Standardized approach 8.86% 8.77% 9.54% 9.40% Standard deviation 3.76% 2.94% 2.95% 2.75%
Median 9.83% 9.71% 9.82% 9.76%
Number of banks 10 15 16 17
Basic indicator approach 12.20% 12.49% 12.23% 12.54% Standard deviation 8.78% 9.07% 8.77% 8.70%
Median 10.16% 10.13% 9.83% 9.95%
Number of banks 76 76 76 78
According to Table 5, the relative capital adequacy requirement of all banks for
covering operational risk exposures was just below twelve per cent in each quarter of
2007 and did almost not vary at all over the year. Then the variation over time was
higher for banks using SA, but the variation within this group in terms of standard
deviation was much lower than the variation in between banks using BIA. The
relatively lower capital requirements displayed by banks using SA are in line with the
regulatory idea that a more sophisticated approach should lead to a lower capital
charge. The figures in Table 5 are clearly indicating a 22 to 30 per cent higher average
value for the default approach. However, the difference would be even more
pronounced if taken into consideration that the total capital adequacy requirement, i.e.
the denominator, is also affected when a bank uses a more sophisticated approach that
lowers its capital charge against its exposure to operational risks.
Number of banks Index average size Index median size
All reporting banks 95 100 100
Basic indicator approach 78 32 90
Standardized approach 17 411 449
14
5. Reasons behind Swedish banks choice of approach to measure operational risk
In an early study of operational risk measurement in Swedish banks based on 23
unstructured interviews with top managers within the four listed banks in Sweden in
2001 (i.e. the big four), Wahlström (2006) concludes that the respondents of the banks‘
(p. 512); “revealed serious problems in measuring operational risk”. In three of the
banks, the respondents were in general doubtful whether they had yet been able to
develop an appropriate internal approach for measuring their bank‘s exposure to
operational risk. According to one of the respondents (p. 508); “It is extremely difficult
to put a quantitative figure on this type of risk, since we have an enormous number of
transactions in the bank”. Another respondent maintained (p. 511); “We have
professors in mathematics and they develop models for measuring risk, but, in spite of
this, we have still had two big crashes.” Nevertheless, Wahlström finds strong support
amongst the respondents for the new Basel accord. One of the respondents explicitly
acknowledged (p. 508); “It is of vital interest to us to develop our understanding of
operational risk.”
In a more recent study of the big four‘s calculation and measurement of operational
risk exposure, Pamp & Stenudd (2007) largely arrive to similar conclusions as
Wahlström. They conducted semi-structured interviews with a chief risk officer of
each bank at the beginning of 2007 when the new regulatory framework had just been
implemented. All respondents thought that it was positive that the banks now were
forced to assess their operational risk exposure, even though one of them asserted that
the bank would have managed quite well without this part of the new regulation.
Another respondent claimed that the implementation of the new regulatory framework
was not optimal. The respondent believed it was to fast and that a stepwise
implementation over ten to fifteen years would have been more preferable, albeit the
encouraging of banks to strengthen their capability in identifying and measuring
operational risk exposures was still considered important and most urgent. In only one
of the banks, the respondent declared that the bank had applied to the supervisory
authority for using an internal operational risk measurement method in accordance
with AMA. The use of a more sophisticated internal risk model was regarded as
natural since the bank had worked actively with its risk management after the banking
crises in the early 1990s and already in 1995 a special operational risk unit was
established in the bank. In the three other banks, the work with operational risks was
reported to have changed considerably after the initial presentation of the Basel II
capital adequacy framework at the beginning of the 2000s. In all these banks, SA had
been chosen for calculating regulatory capital against operational risk exposures. In
two of the banks, the respondents explained that it was still to early for them to adopt
AMA as it was difficult and expensive to develop a more sophisticated internal risk
method in accordance with the regulatory requirements. One of the respondents
maintained that these requirements were far from clear-cut. However, although the
capital charge for operational risk was believed to have been lower if the bank had
used AMA the charge was still regarded as marginal in relation to the total capital
adequacy requirement. The other respondent made clear that SA was chosen before
BIA because the bank was mainly active in the retail banking business line. The
15
respondent in the third bank was not convinced that it would have played any
difference had the bank chosen BIA instead of SA since neither approach is related to
the bank‘s operative management of risk exposures.
The picture provided by Wahlström (2006) and Pamp & Stenudd (2007) is further
manifested in the annual reports of the banks after the first year under the Basel II
capital adequacy framework. Studying the annual reports of 2007 of the big four with
particular emphasis on how they organize their work and processes in identifying and
assessing risk exposures, we find that the main effort of the banks is still on identifying
and quantifying exposures to credit risk. However, in all reports operational risk
assessment is discussed with respect to measurement approaches and internal
processes for managing the bank‘s exposures to such risk. It is evident that the
organization of the bank plays a significant role for its risk assessment processes.
SHB, which is recognized for having a decentralized organization and a low risk
profile, has adopted a decentralized risk management system based on risk assessment
at the branch level. However, to complete the system a central risk control unit is
coordinating the risk assessment of the branches. This unit also serves the branches by
developing adequate models for identifying and quantifying exposures to operational
risk. This can be compared to the other banks in which specific central risk control
units seem to manage risk assessment processes on various organizational levels more
in detail. The organizational level in focus varies between the banks, though.
Swedbank focuses on business unit evaluation, whereas SEB focuses on divisions and
Nordea on customer, product and group function levels. The focus of the banks also
impacts on their self assessments, which are conducted on the organizational level
concerned. A central risk control unit or committee summarizes and informs the board
of directors that have delegated the responsibility for the risk control process.
Continuous reporting within Swedbank and SEB (in the latter bank 23 committee
meetings were held in 2007) is here contrasted by the other two banks reporting only
one or two times a year. The central risk control unit‘s processes of setting up
standards for the risk control operations on lower levels are usually integrated in a
technological system where the banks try to capture the occurrence of exposures to
operational risk in the bank. In two of the banks this process is described as a way of
trying to learn from previous mistakes by systematically collecting and analyzing
historical data in an internal data base. SEB, for instance, collects risk related
occurrences both inside and outside the organization (p.39); ―The system enables all
staff in the Group to register risk-related issues and management at all levels to
assess, monitor and mitigate risks and to compile prompt and timely reports.”
In addition to the self assessments and continuous operational risk assessment of
current events, the banks also conduct separate assessments regarding new or changed
products, processes and services in order to strengthen the organizational preparedness
to take actions if an unexpected outcome occurs. This includes infrastructure
investments for reducing operational risks mainly in for example Internet banking.
Table 6 summarizes our findings what regards the banks‘ organization of internal
processes for operational risk management.
16
Table 6 Operational risk management in the big four banks according to annual reports of 2007
Bank Nordea SEB SHB Swedbank Internal risk
management strategy
(OR)
Central internal policy
control and risk
management.
Division level with a
central risk and capital
committee.
Decentralized with
central risk control.
Business unit with an
independent central
risk control unit.
Bank risk profile n.a. n.a. Low risk profile. Neutral risk profile.
Self Assessments Customer area, product
area and group function.
Division level.
Branch level.
Business unit.
Technology n.a. Report system. All
employees. Key ratio
analysis.
Report system. n.a.
Reporting to top
management
Committee reporting to
the board meeting once
a year.
Frequent committee
meetings which are
reporting to the board.
Report to board
meetings two times a
year.
Continuously reporting
to the CEO and board
meetings.
Source: Annual reports of 2007 of Nordea, SEB, SHB and Swedbank.
In an attempt to complement the studies of the big four, we conducted a questionnaire
based survey in the mid of 2007 to find out the experience of operational risk
assessment within Swedish savings banks. The questionnaire was mailed to 80 banks;
68 ISBs and twelve former savings banks that recently converted to limited banks,
referred to as commercial banks in Table 2. As shown in Table 7, the response rate
was 33.8 per cent or 27 banks of which 22 ISBs and five former savings banks. Also
shown in the table, the distribution of the responding banks matches the total
population rather well. The size of the ISBs seems to be somewhat higher amongst the
responding banks, whereas the average size of the former savings banks is higher for
the total population.
Table 7 Characteristics of responding banks and banks in the total population
Total population Responding banks
ISBs Ltd banks Total ISBs Ltd banks Total
Response rate - - - 32.3% 41.7% 33.8%
Proportion of total 85% 15% 100% 81.5% 18.5% 100%
Banks using SA 7.4% 50% 13.8% 9.1% 60% 18.5%
Average bank size (assets) SEK2,072m SEK5,087m SEK2,608m SEK3,201 SEK3,393m SEK3,237m
Number of employees (average) 38.5 97.3 47.3 57.2 61.8 58.0
Number of branches (average) 3.2 6.5 3.7 4.2 4.4 4.2
Number of banks 68 12 70 22 5 27
In the questionnaire the respondents were asked to express their opinion about the new
regulatory framework with respect to its impact on the bank‘s capital adequacy
requirement and operational risk assessment as well as the reason for the bank‘s choice
of approach for calculating regulatory capital against its exposure to operational risk.
Starting with the latter, most banks have chosen BIA because it is easy to use. Many
respondents claim that the bank does not require any sophisticated method and that it
is not worth the effort to make a more sophisticated analysis of the bank‘s exposure to
operational risks. In three of the five banks using SA, the respondent declared that the
bank was either in alliance with, or partly owned by, Swedbank. These banks were
thus former savings banks that had converted into limited banks. The reasons behind
the two ISB‘s choice of using SA were similar. One of the respondents motivated the
17
use of SA by emphasizing the importance of increasing the internal understanding of
the bank‘s exposure to operational risk and improving the risk control of the bank. The
other respondent argued that regardless of approach the bank would have to go
through this process anyway implying that the bank would have otherwise made the
calculations for internal purposes. Also in other ISBs, using BIA, some respondents
claimed that SA was used for internal purposes and that the bank was likely to change
to this approach in the future. Many respondents stressed the importance of improving
the knowledge of operational risk assessment within the bank. In that respect also
respondents in ISBs and former savings banks were positive to new regulatory
framework. In almost nine out of ten banks (89 per cent), the respondent claimed that
the bank had increased its internal skills in managing operational risk exposures. This
seems to be the case regardless of approach chosen for calculating regulatory capital
against such exposures. Mostly, banks increase the knowledge and awareness about
operational risks throughout the organization. In 25.9 per cent of the banks, the
respondent answered that the bank has increased its capability to price operational risk,
but only two respondents acknowledged that the bank had actually made any changes
in its price strategy. Several of the respondents (18.5 per cent) were uncertain about
the effect on the bank‘s pricing, whereas the remaining respondents (55.6 per cent)
declared that the bank had not increased its capability of pricing operational risk
The estimation of capital adequacy requirement provides a mixed experience for the
banks. On one hand, more than 50% of the respondents claimed that the operational
risk exposure of the bank is proportional to its exposure to other risks. On the other
hand, in almost 60 per cent of the banks the respondent argued that the capital
adequacy requirement for operational risk exposures was too high with respect to the
business activities of the bank. Only one respondent thought that the capital charge
was too low. From these answers, it may be surprising that in five banks the
respondent revealed that the bank actually requires more capital from its internal risk
(ICAAP) requirement than the legal requirement.
6. Conclusions
The new Basel accord seems to have a major impact on the risk management of banks
in general, and on their assessment of exposures to operational risk in particular. Our
findings imply the vast majority of the Swedish banks are only halfway in their work
to adequately identifying, measuring and managing operational risk exposures. Even if
the banks have always been exposed to such risks, only one bank has acknowledged
that it is going to use an internally developed method for calculating regulatory capital
against operational risk, i.e. provided that the method is approved by the supervisory
authority. No other bank has yet applied for using a more sophisticated method in
accordance with the advanced measurement approaches (AMA) proposed in the Basel
II capital adequacy framework. However, in most Swedish banks, not only within the
larger commercial banks but also within smaller and mid-sized savings banks, the
management appears to be strongly in favour of the new regulation‘s emphasis on
operational risk. There is a clear willingness to learn more and increase the general
18
knowledge within the organisations in order to improve the assessment of exposures to
operational risk. Many banks that report on their compliance in accordance with a
simpler approach are using a more sophisticated method for internal purposes.
It is of course too early to draw any far-reaching conclusions on the effect of Basel II
on Swedish banks‘ capital adequacy requirement only after one year. So far the effect
has been marginal in this respect. Most banks hold much more capital than required
and according to our findings the main concern within the banks has not been directed
towards determination of regulatory capital, albeit respondents of most ISBs did think
that the requirement was too high with respect to the bank‘s business activity. The
focus of the banks has instead been put on the need to strengthening their internal
capability for managing operational risks. As the way banking business is evolving,
this focus may seem rational. However, it is not unlikely that the concern within the
banks will change towards the effect on regulatory capital in times of recession.
References
Allen, L. & T.G. Bali (2007). Cyclicality in catastrophic and operational risk measurements, Journal
of Banking and Finance, 31(), pp. 1191-1235.
Aparicio, J. and E. Keskiner (2004). A Review of Operational Risk Quantitative Methodologies Within
the BASEL-II Framework, Accenture Technology Labs, Sophia Antipolis, France.
Avery R.B. and A. Berger (1991). Risk-based capital and deposit insurance reform, Journal of
Banking and Finance, 15(4/5), pp. 847-874.
Bank for International Settlement, BIS (2001). Operational Risk: Supporting Document to the New
Basel Capital Accord, Basel Committee on Banking Supervision, Basel, Switzerland, January.
Bank for International Settlement, BIS (2003). Quantitative Impact Study 3 – Overview of Global
Results, Basel Committee on Banking Supervision, Basel, Switzerland, May.
Bank for International Settlement, BIS (2005). Basel II: International Convergence of Capital
Measurement and Capital Standards: a Revised Framework, Basel, Switzerland, November.
Bank for International Settlement, BIS (2006). Basel II: International Convergence of Capital
Measurement and Capital Standards: A Revised Framework - Comprehensive Version, Basel,
Switzerland, June 2006.
Bergendahl, G. and T. Lindblom (2007). Risk Management in Banking – A Review of Principles and
Strategies, in Eds. Rao H.R., M. Gupta and S. Upadhyaya; Managing Information Assurance
in Financial Services, IDEA Group Inc.
Berg-Yuen, P.E.K. & E.A. Medova (2005). Economic capital gauged, Journal of Banking Regulation,
6(4), pp. 353-378.
Bonsón, E., T. Escobar and F. Flores (2007). Sub-Optimality of Income Statement-Based Methods for
Measuring Operational Risk under Basel II: Empirical Evidence from Spanish Banks,
Financial Markets, Institutions & Instruments, 16(4), pp. 201-220.
Calem, P.S. and M. Lacour-Little (2004). Risk-based Capital Requirements for mortgage loans,
Journal of Banking and Finance, 28(3), pp. 647-672.
Chavez-Demoulin, P. Embrechts & j. Neŝlehová (2006). Quantitative models for operational risk:
Extremes, dependence and aggregation, Journal of Banking and Finance, 30, pp. 2635-2658.
Cummins, J.D. and P. Embrechts (2006). Introduction: Special section of operational risk (Editorial),
Journal of Banking and Finance, 30(10), pp. 2599-2604.
19
Di Renzo, B., M. Hillairet, M. Picard, A. Rifaut, C. Bernard, D. Hagen, P. Maar and D.Reinard
(2007). Operational Risk Management in Financial Institutions: Process Assessment in
Concordance with Basel II, Software Process Improvement Practice
(www.interscience.wiley.com) DOI: 10.1002/spip.322.
Flores, F., E. Bónson-Ponte and T. Escobar-Rodríguez (2006). Operational risk information system: a
challenge for the banking sector, Journal of Financial Regulation and Compliance, 14(4), pp.
383-401.
Fontnouvelle de, P., V. Dejesus-Rueff, J.S. Jordan and E.S. Rosengren (2006). Capital and Risk: New
Evidence on Implications of Large Operational Losses, Journal of Money, Credit and
Banking, 38(7), pp. 1819-1846.
Garrity, V. (2007). Developing and Implementing an Operational Loss Data Collection Program, Bank
Accounting & Finance, August-September, pp. 3-9.
Garside, T. and J. Bech (2003). Dealing with Basel II: the impact of the New Basel Capital Accord,
Balance Sheet, 11(4), pp. 26-31.
Hadjiemmanuil, C. (2003). Legal Risk and Fraud: Capital Charges, Control and Insurance, in
Operational Risk: Regulation, Analysis and Management, (Ed.) Alexander, C, Prentice Hall-
Financial Times, London, pp. 74–100.
Hendricks, D. and B. Hirtle (1997). Bank Capital Requirements for Market Risk: The Internal Models
Approach, Economic Policy Review (Federal Reserve Bank of New York), 3(4), pp. 1-12.
Herring, R.J. (2002). The Basel 2 Approach to Bank Operational Risk: Regulation on the Wrong
Track, Unpublished paper, University of Pennsylvania.
Jobst, A.A. (2007). The treatment of operational risk under the New Basel framework: Critical issues,
Journal of Banking Regulation, 8(4), pp. 316-352.
Jones, D. (2000). Emerging problems with the Basel Capital Accord: Regulatory capital arbitrage and
related issues, Journal of Banking and Finance, 24(1/1), pp. 35-38.
Jones, D. and J. Mingo (1999). Credit risk modelling and internal capital allocation processes:
Implications for a models-based, Journal of Economics & Business, 51(2), pp. 79-108.
Lastra, R.M. (2004). Risk-based capital requirements and their impact upon the banking industry:
Basel II and CAD III, Journal of Financial Regulation and Compliance, 12(3), pp. 225-239.
Lindblom, T. and M. Olsson (2007). Bank Capital and Loan Pricing - Implications of Basle II, in
Frontiers of Banks in a Global World, (Eds) Molyneux, P. & E.Vallelado, Palgrave
MacMillan, Hampshire, pp. 78-102.
Marquardt, R. (2000). Finansmarknad i förändring. Stockholm, Svenska Bankföreningen.
Moosa, I.A. (2007). Operational Risk: A Survey, Financial Markets, Institutions & Instruments, 16(4),
pp.167-200.
Nordea (2007). Nordea Annual report, Stockholm 2008.
Olsson, M. (2006). Fast rotad är den trygghet som bygges på sparade slantar - om mål i den svenska
sparbanksrörelsen. Handelshögskolan, Göteborgs universitet.
Pamp, K. & O. Stenudd (2007). Operativ risk under Basel II - En kvalitativ studie av de svenska
storbankernas val av beräkningsmetod för operativ risk, Master thesis in Industrial and
Financial Management at the School of Business, Economics and Law, University of
Gothenburg.
Power, M. (2005). The invention of operational risk, Review of International Political Economy,
12(4), pp. 577-599.
Raghavan, K.R. (2006). Internal Control and Operational Risk: FDICIA, Sarbanes-Oxley and Basel II,
Bank Accounting and Finance, April-May, pp.3-9.
Rowe, D., D. Jovic and Reeves, R. (2004). The continuing saga – Basel II developments: bank capital
management in the light of Basel II – how to manage capital in financial institutions. Balance
Sheet, 12(3), 15-21.
20
SEB (2007). SEB Annual Report 2007, Stockholm 2008.
SHB (2007). Svenska Handelsbanken Annual Report 2007, Stockholm 2008.
Swedbank (2007). Swedbank Annual Report 2007, Stockholm 2008.
Thirlwell, J. (2002). Operational Risk: The Banks and the Regulators Struggle, Balance Sheet, 10(2),
pp. 28–31.
Turing, D. (2003). The Legal and Regulatory View of Operational Risk, in Advances in Operational
Risk: Firm-wide Issues for Financial Institutions, (2nd
ed.), London: Risk Books, pp. 253-256.
Wahlström, G. (2006) Worrying but accepting new measurements: the case of Swedish bankers and
operational risk, Critical Perspectives on Accounting, 17, pp. 493-522.
Wilson, I. (2004). Implementing Basel II: A case study based on the Barclays Basel II preparations,
Journal of Financial Regulation and Compliance, 12(4), pp. 297-305.
Wold, M. (2006). Basel II Moves Operational Risk Into the Open, Securities Industry News, 18(33) p.
22.
